How do I detect them?

This is the best method to determine if your system has been compromised, but it requires that you:

A. have a basic understanding of the state of an "active connection" and

B. that you're familiar with the port numbers commonly used by the trojans.

With regards to the state of an "active connection". There are several types, but there's really only one type that you need to know about.

The "listening" state - which is when your PC listens on a port number, awaiting for another PC to make a connection to it. The "listening state" is the state that the trojan will be in after your system is rebooted.

NOTE: Some trojans may use more than one port number. This is because one port is used for "listening" and the other/s are used for the transfer of data.

If you know of another Trojan (and/or a corrections) to add to the above, please me.

How to detect

If after following the directions outlined further down below, you've determined that your PC is "listening" on any of the above ports. It's a very strong indicator that your PC has been compromised. Click the appropriate link to learn how to remove the trojan involved.

Important Notes:

Although Back Orifice and NetBus are commonly found to be configured to use their default port/s in establishing the connection between the client and server, they have been found to be configured to use different port/s.

Regardless what port/s they may be configured to use, the important thing to know is that if your a home user (and your PC doesn't participate on a LAN or a SoHo LAN), your PC shouldn't be "listening" on any port (or ports) after it's been rebooted.

Keep in mind that for some PC's that are connected to a LAN or a SoHo LAN, it is common for certain ports (137,138 and 139) to be listening. Such ports are used for NetBIOS, and sometimes port 135 (RPC) may be used as well.

How to determine what ports are "listening"

Perform the following steps:

Step 1. - Reboot your PC. Do NOT establish a dial-up connection.

Click Start | Shut DownClick RestartClick OK

Step 2. - After you reboot your PC and before doing anything else, open a DOS window.

Click Start | Programs | MS-DOS Prompt

NOTE: If you don't have a shortcut to the MS-DOS Prompt, don't worry. You can

Click Start | RunType commandClick OK

Step 3. - Type "netstat -an >>c:\netstat.txt" (without the quotes)

Type netstat -an >>c:\netstat.txtPress ENTER

Step 4. - Close the DOS window.

Type exitPress ENTER

Step 5. - Open Explorer

Click Start | Programs | Windows Explorer

Step 6. - Change to the C drive and double click on the netstat.txt file. It should open with NOTEPAD.

Click (C:)Double-click netstat.txt

Step 7.Look under the "Local Address" column and examine the port numbers for any connection found to be in a "listening" state.

For reference, the port numbers are shown as ":XXXXX" to the right of the IP address, where "XXXXX" is a 1 to 5 digit number.

Provided below are some examples of what you may might find:

The above example is typical of a home user's PC. The system (after a reboot) doesn't show any active connections. If your system looks like this, then congratulations! You have nothing to worry about.

The above example is typical of a PC on a LAN. The system (after a reboot) shows several connections in a listening state, used by NetBIOS. As mentioned above, the ports used by NETBIOS are ports 137 (nbname), 138 (nbdata) and 139 (nbsession).

Again, if your system isn't showing any active connections other than the ones related to using NetBIOS, then congratulations! You have nothing to worry about.

The above example is typical of a home user's PC that's been compromised with the Back Orifice server portion, and whereby it's been configured to use the port 31337 (the default).

The above example is typical of a PC on a LAN that's been compromised with the Back Orifice server portion, and whereby it's been configured to use port 31337 (the default).

The above example is typical of a home user's PC that's been compromised with the Back Orifice server portion that's been configured to use port 4000 instead of the default 31337.

The above example is typical of a PC on a LAN that's been compromised with the Back Orifice server portion that's been configured to use port 4000 instead of the default 31337.

If your system shows any ports in a listening state that you cannot identify or explain. It might be wise to further investigate the possiblity that your system may be compromised with one of these trojans using a different port other than the default/s.

If you do find your system "listening" on any of these ports. You should know whether it should or shouldn't be. If it shouldn't be, then it's wise to further investigate the possiblity that your system may be compromised with one of the trojans using a different port other than the default/s.

If you're unsure how to read your "netstat.txt" file, feel free to email me a copy. I'd be more than happy to take a look at it and let you know the results.My email address is mynetstat@commodon.com or you can click .